From: Amin Saba
Date: Sun, 05 Jun 2016 11:48:03 +0000
Subject: Dangling states problem
To: freebsd-pf@freebsd.org
List-Id: "Technical discussion and general questions about packet filter (pf)"

*Dangling states problem*: pf consults its state table before the rule set (as it should). So even after adding a rule to block certain connections, the ones that have a corresponding entry in the state table will continue uninterrupted.

AFAIK, pf does not have any built-in/native mechanism to *automatically* terminate states that go against the current rule set. Sifting through the states and manually "pfctl -k"ing unwanted states does not look like a sustainable solution to this problem.

I am writing a Python script to automate this process, as much as possible. My questions are:

- Do you know any other projects aiming at this?
- Is there anything on the roadmap for the pf project to address this issue?
- Are there any major roadblocks to implementing this directly in pf?

Can someone shed more light on this, please? Thanks.
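The approach the post describes (sift the state table, then `pfctl -k` the states a newly added block rule would reject) as an added example; this is not the poster's script and not part of pf. It assumes the `pfctl -ss` line layout `iface proto endpointA dir endpointB state` (with an optional translated address in parentheses) as printed by FreeBSD pf, uses its own tiny `BlockRule` format rather than parsing pf.conf, and the sample state lines are constructed:

```python
"""Kill pf states that a later-added block rule would now reject.

Added example, not the original poster's script. Assumptions: the
``pfctl -ss`` line format (iface proto endpointA dir endpointB state,
with an optional translated address in parentheses) as printed by
FreeBSD pf; ``BlockRule`` is this script's own mini rule format, not
pf.conf syntax; the sample state lines are constructed.
"""
import ipaddress
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Assumed pfctl -ss layout; lines that do not match (e.g. -v detail lines) are skipped.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<a>\S+)(?:\s+\(\S+\))?"
    r"\s+(?P<dir>->|<-|<->)\s+(?P<b>\S+)(?:\s+\(\S+\))?\s+(?P<status>\S+)$"
)


@dataclass(frozen=True)
class State:
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def split_endpoint(ep: str):
    """'10.0.0.5:22' -> ('10.0.0.5', 22); '[2001:db8::1]:443' -> ('2001:db8::1', 443)."""
    if ep.startswith("["):
        host, _, port = ep[1:].partition("]:")
    elif ep.count(":") == 1:           # IPv4 with port
        host, _, port = ep.partition(":")
    else:                              # bare address, no port
        host, port = ep, ""
    return host, (int(port) if port else None)


def parse_states(text: str) -> List[State]:
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        a_host, a_port = split_endpoint(m["a"])
        b_host, b_port = split_endpoint(m["b"])
        if m["dir"] == "<-":   # inbound state: packets flow from B (remote) to A (local)
            states.append(State(m["proto"], b_host, b_port, a_host, a_port))
        else:                  # '->' and floating '<->': A is the source
            states.append(State(m["proto"], a_host, a_port, b_host, b_port))
    return states


@dataclass(frozen=True)
class BlockRule:
    """Fields left as None match anything, like 'any' in pf.conf."""
    proto: Optional[str] = None
    src: Optional[str] = None      # CIDR
    dst: Optional[str] = None      # CIDR
    dport: Optional[int] = None

    def matches(self, st: State) -> bool:
        if self.proto is not None and st.proto != self.proto:
            return False
        if self.dport is not None and st.dport != self.dport:
            return False
        for net, host in ((self.src, st.src), (self.dst, st.dst)):
            if net is None:
                continue
            try:
                if ipaddress.ip_address(host) not in ipaddress.ip_network(net, strict=False):
                    return False
            except ValueError:     # unparsable host: never treat as a match
                return False
        return True


def states_to_kill(states: List[State], rules: List[BlockRule]) -> List[State]:
    return [st for st in states if any(r.matches(st) for r in rules)]


def kill_commands(states: List[State]) -> List[List[str]]:
    """pfctl -k SRC -k DST removes every state from SRC to DST, not just the
    offending port, so dedupe per host pair and expect collateral kills of
    other states between the same pair."""
    pairs: List[tuple] = []
    for st in states:
        if (st.src, st.dst) not in pairs:
            pairs.append((st.src, st.dst))
    return [["pfctl", "-k", s, "-k", d] for s, d in pairs]


# Constructed sample of pfctl -ss output (not captured from a real host).
SAMPLE_PFCTL_SS = """\
all tcp 10.0.0.5:22 <- 192.168.1.10:54321        ESTABLISHED:ESTABLISHED
all tcp 10.0.0.5:443 <- 192.168.1.10:54400       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.5:22 <- 172.16.0.9:40001          ESTABLISHED:ESTABLISHED
all tcp 192.168.1.10:51000 -> 93.184.216.34:443  ESTABLISHED:ESTABLISHED
all udp 10.0.0.5:53 <- 192.168.1.20:40000        MULTIPLE:SINGLE
"""

if __name__ == "__main__":
    DRY_RUN = True   # set to False to actually kill states on the live table
    rules = [BlockRule(proto="tcp", src="192.168.1.0/24", dport=22)]  # "block tcp from 192.168.1.0/24 to any port 22"
    text = subprocess.run(["pfctl", "-ss"], capture_output=True, text=True, check=True).stdout
    for cmd in kill_commands(states_to_kill(parse_states(text), rules)):
        if DRY_RUN:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)
```

The caveat worth keeping in mind is in `kill_commands`: the two-argument `pfctl -k` form selects by host pair, so killing the dangling SSH state from 192.168.1.10 also drops that host's unrelated HTTPS state to the same server. A script like this also only approximates the rule set, since it does not see pf's own rule evaluation (quick rules, interface and direction qualifiers, tables); running it in dry-run mode first and diffing against `pfctl -ss` is the sensible check.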